>Our attacks have shown that an fTPM cannot sufficiently protect its internal state against firmware or physical attacks. In such a scenario, a passphrase-only key protector of reasonable length provides better security than a TPM-only protector with a numeric PIN (5.3.1). This is in stark contrast to Microsoft’s claim that “BitLocker provides the most protection when used with a Trusted Platform Module” [29] (see also in 2.3). In fact, of all available protectors (seen in Figure 1), TPM-only is arguably the weakest protection strategy.
This might not be surprising to some, despite Windows hiding the GUI passphrase functionality behind some group policy settings, both "Require additional authentication at startup" and "Enhanced PIN", which isn't perhaps the most intuitive and a normal user might not even realize unless they notice the "normal" PIN is numerical-only. In any case, for the average person that might have their devices stolen, this is likely not to be a threat, but I think a passphrase should always be preferable, BitLocker doesn't support any better option.
Amateur-me thinks that it would not be too hard to prevent such an attack: Have a voltage fault detection circuit at all (TPM-relevant) supply pins that hard-locks the chip until it gets power cycled, and have those circuits be powered by on-chip capacitors that survive just a little longer than their time-to-trigger. Would that be feasible?
Note that the SPI bus sniffing attacks on dTPMs are simpler to mount (being passive) but also require direct access to the bus (motherboard), and unlike this attack can be prevented in software by knowing the public key of a primary key object on the TPM (e.g., the endorsement key) and using it to authenticate the TPM to the host.
That said, even a host using a dTPM with proper authentication of the dTPM has a problem if the SP is vulnerable to voltage fault injection attacks, because even though SPI bus sniffing wouldn't yield the unlocked FDE keys, the attacker presumably could get full control of the CPU and recover the unlocked FDE keys there.
In other words, the problem here is the voltage fault injection vulnerabilities in general. The fTPM part of it is not as big a deal as the total compromise of the whole system due to those voltage fault injection vulnerabilities.
> Honestly TPM is probably creating more bad than good at this point.
The problem isn't the TPM. The problem is the CPU (SP) being vulnerable to voltage fault injection attacks. You could be using no TPM and still have all your secrets leak if the host is fully compromised.
Why not simply abandon TPM and focus on making simple, trustable, massively parallel general-purpose hardware without backdoors for spy agencies and corporations?
Mine and I want a TPM, it's a device essential for modern laptop security.
_Even if you would be able to control every bit of firmware on your computer and there was no DRM or similar you still would want a TPM!_
through potential a different implementation and not some of the features build on top of it
like something like a TKey integrated into your CPU with some additions for securing the boot chain (including the EFI itself) would probably be a convenient, simple, way to have the necessary security without many of the problems ... or did I just reinvent TPM ?
Mine, and I like it to stay that way. A TPM can be a valuable tool for protecting my data, making it difficult if not impossible for anyone to decrypt my drives. TPM+PIN is hard to beat.
It says any TPM can be defeated in 2-3 hrs with physical access. Is the AMD one different? Can it be defeated over networks? And is this something I should be concerned about since I just bought a new AMD machine?
One of the authors here. This attack is relevant if your machine is physically exposed to attacks, e.g., in an office environment or while traveling, and if you don't use any additional pre-boot passphrase to protect the disk (but rely solely on AMD's fTPM).
When TPMs became popular, dedicated TPMs were mainly used, being a separate chip on the mainboard connected via the SPI or LPC bus. These were prone to (relatively primitive) bus sniffing attacks, where you would hook up a Logic Analyzer to the bus, watch a regular boot procedure grab the disk key, and then use software like Dislocker to extract all data from a USB Live Linux or alike.
Nowadays, most modern CPUs (both on Intel and AMD) ship firmware TPMs that are "included" with CPU die, making them safe against the bus sniffing attacks. However, they can still be prone to more sophisticated attacks like ours.
"Motivated by Windows 11’s push to use the TPM
for even more applications, we apply the vulnerability
to Microsoft BitLocker and show the first fTPM-based
attack against the popular Full Disk Encryption solution.
BitLocker’s default TPM-only strategy manages – without
any changes to the user experience – to swiftly step up
a user’s security in the face of a lost or stolen device.
However, as our work complements the established at-
tacks against dTPMs with an even more potent attack
against AMD fTPMs, a TPM-only configuration lulls a
non-technical user with high protection needs into a false
sense of security."
"Users who fear a physical attacker with reasonable
resources should opt for a TPM and PIN configuration.
When BitLocker identifies that the underlying TPM is
an fTPM, users should be urged to turn their PIN into
a passphrase."
I am wondering the same, considering the proliferation of AMD in the last few years I would be devastated to have to go back to Intel. Just when the Framework came out with their AMD versions too.
Access/privileges to execute on the host is required. I, personally, would not feel concerned unless I was a TPM user and knew I was a specific target.
"security properties of the TPM - like Bitlocker's TPM- only protector - can be defeated by an attacker with 2-3 hours of physical access to the target device"
So I take this is more of a data exfiltration type of attack?
I've not yet read past the abstract, though I've read (and responded to) a lot of the commentary here.
QUESTION FOR THE AUTHORS: Is there any way in which a voltage fault injection vulnerability in the SP can affect only the fTPM and not actually be a full host compromise but for the fTPM compromise?
I believe the answer to that has to be no. If you can compromise the SP you can compromise the whole system. Therefore this isn't really about fTPM. But you'll notice that many commenters are running away with this and saying that TPMs make systems less secure, which is not really correct.
Yes, TPMs are not used correctly by most BMC/BIOS implementations, or even by OSes, and there are vulnerabilities that arise from that misuse. But TPM 2.0 does provide what is needed to solve those issues.
The wholesale attacks on TPM 2.0 itself here are not warranted, especially if the SP vulnerabilities are more general rather than being specifically limited to fTPMs.
Relying on an TPM to rate-limit an attacker's ability to brute-force a comically short PIN and get the encryption key (Microsoft's promoted way to login to a Windows device), is less secure (once the TPM is exploited) than relying on the attacker to guess a high-entropy password to get the encryption key.
Password-less TPMs will always be fundamentally vulnerable. The only question is what is the price to break them. It can be very high (as seen in the Xbox).
Thanks for the pointer, we haven't checked out OPAL yet. It seems to be the most popular standard when it comes to "Self Encrypting Drives" (SED).
Looking into it shortly, I've found a paper from 2019 from Meijer et al. ([1]) finding several flaws with OPAL-compliant drives. They further find that BitLocker entirely depends on SSD-based encryption if the hardware advertises it. This finding's nature is very similar to ours in that BitLocker's Disk Encryption is insecure/unreliable in particular hardware configurations.
Stupid question: was there no responsible disclosure and is there no cve assigned?
Seems like a rather practical attack (or am I missing something?
Do the researchers consider it a known fact that that fTPM is broken by design and thus do think that nobody will get hurt? It would make sense to require an additional passphrase on fTPM devices for bitlocker. Was there a statement from Microsoft or AMD?
From the paper: "All security-relevant findings discussed in this paper were responsibly disclosed to AMD, Microsoft, and the systemd-cryptenroll maintainers. The systemd-cryptenroll maintainers quickly got back to us to discuss specific mitigation strategies."
TPM based disk encryption is mostly useful as theft protection, so that companies, education facilities or government agencies can provision 100,000 devices without having to match smartcards/fobs/disk passwords to devices and users. (Which often leads to terrible security practices, like backup passwords shared between devices etc.)
So cracking it in 3 hours by amateurs is pretty bad, because now even not too sophisticated thieves can start looking for crypto wallets or sensitive data to ransom.
Not an expert, but I think the biggest exposure most consumers might face is lost/stolen devices where it's conceivable an adversary could have physical access.
Mostly academia and nation states. Physical access will always be king and this provides one more avenue for adversaries to bypass encryption more easily.
It's worth mentioning that standalone TPM chips from Infineon and others are a lot more hardened than Intel or AMD's fTPMs. Infineon's TPMs are tested against fault injection attack, package removal, side channels and so on.
Gnarly, especially because these vulnerabilities seem unpatchable. Luckily, it seems TPM+PIN should remain safe if your PIN is difficult enough to brute-force, though.
As this includes an attack against the secure processor, does this also pose risks to any DRM keys?
[+] [-] 0x_rs|2 years ago|reply
This might not be surprising to some, despite Windows hiding the GUI passphrase functionality behind some group policy settings, both "Require additional authentication at startup" and "Enhanced PIN", which isn't perhaps the most intuitive and a normal user might not even realize unless they notice the "normal" PIN is numerical-only. In any case, for the average person that might have their devices stolen, this is likely not to be a threat, but I think a passphrase should always be preferable, BitLocker doesn't support any better option.
[+] [-] patrakov|2 years ago|reply
"Our attack utilizes the AMD-SP’s vulnerability to voltage fault injection attacks [14] to extract a chip-unique secret from the targeted CPU."
"The attack requires access to the motherboard of the target system (4.1), particularly its SPI bus and voltage regulators."
In other words, it is required to open the laptop and connect custom (but cheap) hardware to the motherboard to disrupt its normal operation.
[+] [-] moring|2 years ago|reply
[+] [-] Arrath|2 years ago|reply
What's old is new again!
[+] [-] cryptonector|2 years ago|reply
That said, even a host using a dTPM with proper authentication of the dTPM has a problem if the SP is vulnerable to voltage fault injection attacks, because even though SPI bus sniffing wouldn't yield the unlocked FDE keys, the attacker presumably could get full control of the CPU and recover the unlocked FDE keys there.
In other words, the problem here is the voltage fault injection vulnerabilities in general. The fTPM part of it is not as big a deal as the total compromise of the whole system due to those voltage fault injection vulnerabilities.
[+] [-] jhoelzel|2 years ago|reply
Every time I think about the millions of computers that will be declared worthless this year, it makes me a little bit more angrier.
[+] [-] neilv|2 years ago|reply
https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/
(Or, for laptops with closed WiFi and no Ethernet, use this installer: https://cdimage.debian.org/cdimage/unofficial/non-free/cd-in... )
[+] [-] sidewndr46|2 years ago|reply
[+] [-] cryptonector|2 years ago|reply
The problem isn't the TPM. The problem is the CPU (SP) being vulnerable to voltage fault injection attacks. You could be using no TPM and still have all your secrets leak if the host is fully compromised.
[+] [-] judge2020|2 years ago|reply
What is this a reference to? Every computer I've found will let you boot into the bios and disable secure boot or add new keys to the trust store.
[+] [-] IYasha|2 years ago|reply
Also, made me remember (once again) decade old presentation on TPM: https://www.youtube.com/watch?v=XgFbqSYdNK4
[+] [-] candiddevmike|2 years ago|reply
[+] [-] Cheeeetah|2 years ago|reply
[+] [-] taraharris|2 years ago|reply
Whose computer is this, anyway?
[+] [-] dathinab|2 years ago|reply
_Even if you would be able to control every bit of firmware on your computer and there was no DRM or similar you still would want a TPM!_
through potential a different implementation and not some of the features build on top of it
like something like a TKey integrated into your CPU with some additions for securing the boot chain (including the EFI itself) would probably be a convenient, simple, way to have the necessary security without many of the problems ... or did I just reinvent TPM ?
[+] [-] jeroenhd|2 years ago|reply
[+] [-] flangola7|2 years ago|reply
[+] [-] cryptonector|2 years ago|reply
TFA is fine, but thinking that this is specifically a vulnerability because of TPM is a serious mistake. Not using a TPM won't make you safer.
[+] [-] rasz|2 years ago|reply
[+] [-] aceazzameen|2 years ago|reply
[+] [-] cwerling|2 years ago|reply
When TPMs became popular, dedicated TPMs were mainly used, being a separate chip on the mainboard connected via the SPI or LPC bus. These were prone to (relatively primitive) bus sniffing attacks, where you would hook up a Logic Analyzer to the bus, watch a regular boot procedure grab the disk key, and then use software like Dislocker to extract all data from a USB Live Linux or alike.
Nowadays, most modern CPUs (both on Intel and AMD) ship firmware TPMs that are "included" with CPU die, making them safe against the bus sniffing attacks. However, they can still be prone to more sophisticated attacks like ours.
[+] [-] smarx007|2 years ago|reply
"Motivated by Windows 11’s push to use the TPM for even more applications, we apply the vulnerability to Microsoft BitLocker and show the first fTPM-based attack against the popular Full Disk Encryption solution. BitLocker’s default TPM-only strategy manages – without any changes to the user experience – to swiftly step up a user’s security in the face of a lost or stolen device. However, as our work complements the established at- tacks against dTPMs with an even more potent attack against AMD fTPMs, a TPM-only configuration lulls a non-technical user with high protection needs into a false sense of security."
"Users who fear a physical attacker with reasonable resources should opt for a TPM and PIN configuration. When BitLocker identifies that the underlying TPM is an fTPM, users should be urged to turn their PIN into a passphrase."
[+] [-] goolz|2 years ago|reply
[+] [-] daneel_w|2 years ago|reply
[+] [-] gen3|2 years ago|reply
So I take this is more of a data exfiltration type of attack?
Edit: here is the POC https://github.com/PSPReverse/ftpm_attack
[+] [-] cryptonector|2 years ago|reply
QUESTION FOR THE AUTHORS: Is there any way in which a voltage fault injection vulnerability in the SP can affect only the fTPM and not actually be a full host compromise but for the fTPM compromise?
I believe the answer to that has to be no. If you can compromise the SP you can compromise the whole system. Therefore this isn't really about fTPM. But you'll notice that many commenters are running away with this and saying that TPMs make systems less secure, which is not really correct.
Yes, TPMs are not used correctly by most BMC/BIOS implementations, or even by OSes, and there are vulnerabilities that arise from that misuse. But TPM 2.0 does provide what is needed to solve those issues.
The wholesale attacks on TPM 2.0 itself here are not warranted, especially if the SP vulnerabilities are more general rather than being specifically limited to fTPMs.
[+] [-] nyanpasu64|2 years ago|reply
[+] [-] 1827163|2 years ago|reply
[+] [-] anthk|2 years ago|reply
[+] [-] dist-epoch|2 years ago|reply
[+] [-] FeistySkink|2 years ago|reply
[1]: https://trustedcomputinggroup.org/wp-content/uploads/TCG_Sto...
[+] [-] cwerling|2 years ago|reply
Looking into it shortly, I've found a paper from 2019 from Meijer et al. ([1]) finding several flaws with OPAL-compliant drives. They further find that BitLocker entirely depends on SSD-based encryption if the hardware advertises it. This finding's nature is very similar to ours in that BitLocker's Disk Encryption is insecure/unreliable in particular hardware configurations.
[1] https://ieeexplore.ieee.org/document/8835339
[+] [-] riedel|2 years ago|reply
Do the researchers consider it a known fact that that fTPM is broken by design and thus do think that nobody will get hurt? It would make sense to require an additional passphrase on fTPM devices for bitlocker. Was there a statement from Microsoft or AMD?
[+] [-] hnj2|2 years ago|reply
[+] [-] goolz|2 years ago|reply
[+] [-] creshal|2 years ago|reply
So cracking it in 3 hours by amateurs is pretty bad, because now even not too sophisticated thieves can start looking for crypto wallets or sensitive data to ransom.
[+] [-] dist-epoch|2 years ago|reply
That sounds pretty practical.
[+] [-] spacebanana7|2 years ago|reply
[+] [-] cryptonector|2 years ago|reply
[+] [-] drakythe|2 years ago|reply
[+] [-] asldkfjaslkdj|2 years ago|reply
anyone did similar tests to the el-cheapo ones that will end up on 99% of computers around the world?
My bet is that messing with voltages on those chips too will expose all sorts of exploits too.
[+] [-] als0|2 years ago|reply
[+] [-] charcircuit|2 years ago|reply
[+] [-] dschuetz|2 years ago|reply
[+] [-] jeroenhd|2 years ago|reply
As this includes an attack against the secure processor, does this also pose risks to any DRM keys?
[+] [-] anthk|2 years ago|reply
No, thanks, bioctl(4) works well under OpenBSD for disk encryption and so will do under HyperbolaBSD.
[+] [-] sampa|2 years ago|reply
trust only open-source software crypto
[+] [-] snvzz|2 years ago|reply